FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable
Article Id 198450

Description

Administrators may wish to restrict which 'services' (logical ports) are allowed through a FortiGate.

This may be done to restrict access coming into a network. Filters may also be used to control which applications internal users are allowed to reach through a FortiGate.


Solution
Controlling firewall services is part of policy creation. By default, a firewall policy has the 'ANY' service group selected as the set of services matched by the policy.

In this scenario an administrator will group three services to allow.

1. Create a new firewall policy: Firewall > Policy > Create New.

As part of this step, select which services are to be allowed, denied or sent through a VPN tunnel. With no new service groups created, only the default services listed are available.

[Screenshot: new policy defaults]


2. By default, administrators can choose from all of the FortiGate 'Predefined' services. These can be seen in the Firewall > Service menu.

[Screenshot: new service defaults]

3. Also in the Firewall > Service menu, users can create a new group by selecting Create New in the Firewall > Service > Group tab.

[Screenshot: new service group]

4. With the member services grouped together in the new group, that group can be used in a policy of any action type.

[Screenshot: service group in policy]

These steps can be applied to an Accept, IPSec, Deny or SSL VPN policy. By default, the policy list is followed by an implicit deny: if no policy has been created to allow a service, that service will not be allowed through the FortiGate.
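The same three-service group and policy from the steps above, entered from the FortiOS CLI instead of the GUI. This is an added example, not part of the original article; the group name "Web-and-Mail", the policy name "Allow-Web-Mail", the interface names "internal" and "wan1" and the choice of HTTP, HTTPS and SMTP as the three members are assumptions for illustration.

```fortios
# Step 3: create the service group. The members are predefined
# FortiGate services; the group name is an assumption.
config firewall service group
    edit "Web-and-Mail"
        set member "HTTP" "HTTPS" "SMTP"
    next
end

# Step 4: reference the group from a policy. 'edit 0' lets the
# FortiGate assign the next free policy ID. Interface and address
# names are assumptions; the action could equally be 'deny'.
config firewall policy
    edit 0
        set name "Allow-Web-Mail"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Web-and-Mail"
        set nat enable
    next
end

# Check: confirm the group members, then the policy that uses it.
# Anything not matched by an accept policy still hits the implicit deny.
show firewall service group Web-and-Mail
show firewall policy
```

Because the group is referenced by name, adding a fourth member later changes every policy that uses the group, so review the policy list after editing a shared group.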
